How We Use Information About You

We collect and process information about you and/or your business to enable us, Synpulse Holding AG and/or any if its subsidiaries and affiliates to:

• provide our services to you;
• provide you with information that we think may be of interest to you; and
• to meet our legal or regulatory obligations.

For a more detailed description of how we use information about you, please see below.

When we send you information we think you might be interested in, you have the right to unsubscribe at any time by contacting us as set out here, or by following the unsubscribe instructions in our communications.

Sharing and Transferring Your Information

We may share information about you across the Synpulse Group, and with some third parties who may process personal data on our behalf under appropriate contractual and security safeguards. For more information, please see below.

We may transfer some information about you to countries outside the European Economic Area where Synpulse operates or where our approved service providers are located. When we do this, we will make sure your information remains adequately protected by applying appropriate transfer safeguards and guided by Synpulse’s Intra-Group Data Transfer Agreement. For more information, please see below.

Your Rights

Your rights under data protection laws include the following:

• Right to Information and Transparency – to be informed how and why your personal data is processed, including purposes, lawful bases, retention, cross-border safeguards, and your rights.
• Right to Access and Transfer – to obtain confirmation of processing and receive a copy of your personal data, and, where required by law, request its transmission to another controller (data portability).
• Right to Rectification – to request correction of inaccurate or incomplete personal data.
• Right to Erasure, Restriction, and Objection – to request deletion, restriction, or object to processing on legitimate grounds.
• Right to Withdraw Consent – to withdraw consent at any time where processing is based on consent.
• Direct Marketing and Automated Decision-Making – to object at any time to processing for direct marketing, profiling, or automated decision-making with legal or significant effects.

For more information about your privacy rights please see below.

If you have any questions or comments about privacy issues, or wish to exercise any of the rights set out above, please write to Group Data Protection Officer, Synpulse Holding AG, Sonnenbergstrasse 19, CH-6052 Hergiswil, Switzerland, or email dataprotection@synpulse.com.

Scroll down to see the privacy notice in full to take you to the more detailed sections of the notice.

1. Who this privacy statement applies to and what it covers
2. What personal data we collect
3. Personal data provided by or about third parties
4. How we use your personal data
5. The legal grounds we use for processing personal data
6. Sharing your personal data
7. Transferring your personal data
8. Protecting your personal data
9. How long we keep your personal data for
10. Your rights
11. Sending you marketing information
12. Contact
13. Changes to this privacy statement

In this statement:

“Data Protection Legislation” means (i) the Swiss Federal Act on Data Protection of 19 June 1992 (FDPA), (ii) the New Swiss Federal Act on Data Protection (nFADP) of 01 September 2023, and (iii) the EU General Data Protection Regulation 2016/679 (GDPR); (iv) the UK General Data Protection Regulation, (v) the Singapore Personal Data Protection Act 2012 (PDPA), (vi) the Philippines Data Privacy Act of 2012, (vii) the Australia Privacy Act 1988 (as amended, including the Privacy and Other Legislation Amendment Act 2024), noting that further reforms are under consultation and may expand individual rights and organizational obligations, (viii) the India Digital Personal Data Protection Act 2023 (enacted and to be brought into force by government notification), (ix) the China Personal Information Protection Law (PIPL), and (x) the Hong Kong Personal Data (Privacy) Ordinance (PDPO),together with all other applicable legislation relating to privacy or data protection and including any statute or statutory provision which amends, extends, consolidates or replaces the same.

 International and Regional Data Privacy Frameworks We rely on the EU-US Data Privacy Framework, the UK Extension, and the Swiss-US Data Privacy Framework, all of which are in force. In addition, cross-border transfers of personal data within the Synpulse Group are governed by Synpulse’s Intra-Group Data Transfer Agreement. Synpulse also complies with applicable data protection legislation in Asia Pacific jurisdictions where we operate, including the Singapore Personal Data Protection Act (PDPA), the Philippines Data Privacy Act, the Australia Privacy Act, the India Digital Personal Data Protection Act 2023 (upon its entry into force), the China Personal Information Protection Law (PIPL), and the Hong Kong Personal Data (Privacy) Ordinance (PDPO).

“Synpulse Group” refers to one or more Synpulse entities, organized as a Swiss privately held group of legal entities held by one holding company. Synpulse Holding AG is a company registered in Switzerland with registered number CHE-103.557.601 and registered office at Sonnenbergstrasse 19, 6052 Hergiswil, Switzerland.

“Process” means any operation performed on information about you, including to collect, record, organize, structure, store, alter, use, transfer, destroy or otherwise make available.

1. Who this privacy notice applies to and what it covers

This privacy notice applies to Synpulse Holding AG with registered office address Sonnenbergstrasse 19, 6052 Hergiswil, Switzerland, and the entities we own or control (“Synpulse”, “we”, “us” or “our”).

We are committed to protecting your privacy and handling your information openly and transparently.

This privacy notice explains how we will collect, handle, store and protect information about you when:

• providing services to you or our clients;
• you use our website; or
• performing any other activities that form part of the operation of our business.

When we refer to “our website” or “this website”, we mean any website, application, or digital platform owned, operated, or controlled by Synpulse or any member of the Synpulse Group, including synpulse.com and any successor or related domains.

Our website comprises various global, country, regional and practice-specific information. All of this is provided by Synpulse Holding AG or one of its subsidiaries or their related entities (collectively, the “Synpulse Group”). To learn more about Synpulse, its member firms, and their related entities, please see Legal Information.

This privacy notice also contains information about when we share your personal data with other members of the Synpulse Group and other third parties (for example, our service providers).

In this privacy notice, your information is sometimes called “personal data”. We may also refer to “processing” your data, which includes handling, collecting, protecting and storing it.

If you provide us with information through any website, application, or digital platform owned, operated, or controlled by Synpulse or any member of the Synpulse Group, we will process your personal data in accordance with this Privacy Notice and applicable data protection laws. This may include the transfer of personal data to other members of the Synpulse Group or to authorised service providers, subject to appropriate contractual, technical, and organisational safeguards and applicable cross-border transfer requirements.

If you provide us with information in any jurisdiction where Synpulse operates, including in Europe and other EMEA jurisdictions, the Americas, and the Asia-Pacific region, we will process your personal data in accordance with applicable local data protection laws and regulations. This includes, where applicable, compliance with the EU General Data Protection Regulation (GDPR), the UK GDPR, the Swiss Federal Act on Data Protection (FADP), the Singapore Personal Data Protection Act (PDPA), the Philippines Data Privacy Act, the China Personal Information Protection Law (PIPL), the India Digital Personal Data Protection Act 2023 (upon its entry into force), the Hong Kong Personal Data (Privacy) Ordinance (PDPO), the Australia Privacy Act, and other equivalent data protection laws.

We implement appropriate organisational, technical, and governance measures to meet jurisdiction-specific requirements, including where required the appointment of data protection officers or equivalents, breach notification obligations, regulatory registrations or filings, and restrictions or conditions on cross-border transfers.

Where this website contains links to third-party websites, such websites are governed by their own privacy notices and data protection practices. We encourage you to review those notices before providing personal data on such websites. Synpulse accepts no responsibility or liability for the content of such third-party websites or for their data protection practices.

2. What personal data we collect

We may collect, record and use your personal data in physical and electronic form, and will hold, use and otherwise process that data in accordance with Synpulse’s Group Data Protection Policy and related policies, as well as applicable local data protection laws as set out in this statement.

When we provide services to you or our clients and perform due diligence checks in connection with our services (or discuss possible services we might provide), we will process personal data about you. We may also collect personal data from you when you use this website.

We may process your data because:

• you give it to us (for example, in a form on our website);
• other people lawfully give it to us (for example, your employer or adviser, or third-party service providers that we use to help operate our business);
• it is publicly available; or
• we are required to collect or process the data in order to comply with applicable legal or regulatory obligations (e.g., under tax, employment, court order, or supervisory authority requirements).

We process personal data only where it is adequate, relevant, and limited to what is necessary for the purposes for which it is collected and processed.

We may process personal data from you because we observe or infer that data about you from the way you interact with us or others. For example, to improve your experience of this website and to make sure that it is working effectively. For example, we (or our service providers) may use cookies (small text files stored in a user’s browser) or web beacons to collect personal data. More information on how we use these and other tracking technologies – and how you can control them – can be found in our cookie notice.

Use of cookies and similar technologies is subject to your consent, where required by applicable law. You may manage your preferences via our cookie or settings panel.

The personal data we process may include your:

• name, gender, age and date of birth;
• contact information, such as address, email, and mobile phone number;
• country of residence;
• lifestyle and social circumstances (for example, your hobbies) where consent was provided;
• family circumstances (for example, your marital status and dependents) where relevant to the service provided;
• employment and education details (for example, the organisation you work for, your job title and your education details);
• financial and tax-related information (for example your income, investments and tax residency) where required for regulatory, contractual, or due diligence purposes;
• postings or messages on any blogs, forums, platforms, wikis or social media applications and services that we provide (including with third parties);
• IP address, browser type and language, your access times;
• information in any complaints you make;
• details of how you use our products and services;
• CCTV footage and other information we collect when you access our premises for security, safety, and access-control purposes; and
• details of how you like to interact with us, and other similar information.

The personal data we collect may also include so called ‘sensitive’ or ‘special categories’ of personal data, such as details about your:

• dietary requirements (for example, when Synpulse would like to provide you with lunch during a meeting);
• health (for example, so that we can make it easy for you to access our buildings, products and services); and
• sexual orientation (for example, if you provide us with details of your spouse or partner).

Where required by law, we will obtain your explicit consent through a clear and separate opt-in and apply enhanced security, access controls, and purpose-bound retention.

If you choose not to provide, or object to us processing, the information we collect (see section 10 below), we may not be able to process your instructions or continue to provide some or all of our services to you or our client.

3. Personal data provided by or about third parties

When our client or another third party provides us personal data about you, we rely on their representations and contractual assurances that such personal data has been collected and shared with us in accordance with applicable data protection laws, including that the relevant data subjects have been informed of the processing and that a valid legal basis applies.

If we become aware that personal data has been collected or shared with us unlawfully, we will take appropriate steps in accordance with applicable law, which may include suspending or ceasing processing and informing the relevant party.

If any information you give us relates to a third party (such as a spouse, financial dependent, or joint account holder), by providing us with such personal data you confirm that, in line with the above provisions, you are authorised to disclose such information to us and that such disclosure is lawful in accordance with applicable data protection laws.

4. How we use your personal data

We process information about you and/or your business to enable us and other members of the Synpulse Group to provide our services to you, to provide you with information that we think may be of interest to you, and to meet our legal or regulatory obligations.

Some of your personal data may be used for other business purposes. Below are some examples.

Use of personal data to provide services to our clients

We use your personal data to provide services to you, our clients, or other third parties. , Where we process personal data on behalf of our clients as a data processor, such processing is governed by the applicable Master Services Agreement (MSA) and Data Processing Agreement (DPA). In the event of any inconsistency, the data protection provisions of the relevant MSA and DPA shall apply, without prejudice to applicable data protection laws and data subject rights. Such correspondence or processing may be with:

• you;
• other third parties or other members of the Synpulse Group;
• our service providers; or
• competent authorities.

We may also use your personal data to conduct due diligence checks relating to the services.

Because we provide a wide range of services to our clients or other third parties, the way we use personal data in relation to our services also varies. For example, we might use personal data about:

• a client’s employees to help the client improve its efficiency in handling such data; or
• a client’s employees and customers in the course of conducting a system implementation (or similar activity) for a client.

Use of personal data for other activities that form part of the operation of our business

We may also use your personal data in connection with:

• legal or regulatory requirements;
• requests and communications from competent authorities;
• client account opening and other administrative tasks;
• financial accounting, invoicing and risk analysis;
• relationship management, which may involve:

(a) sending you thought leadership or details of our products and services;

(b) contacting you for feedback on services;

(c) sending you event invitations; and

(d) other marketing or research purposes subject to applicable consent and opt-out requirements;

• recruitment and business development, which may involve:

(a) the use of testimonials from a client’s employees as part of our recruitment and business development materials (with that employee’s permission); and

(b) the use of third-party data sources to help us verify and improve the information we hold about key business relationships with individuals;

• services we receive from our professional advisors, such as lawyers, accountants and consultants;
• investigating or preventing security incidents; or
• protecting our rights and those of our clients.

Use of personal data collected via our website

In addition to the above, we may also use your personal data collected via our website:

• to manage and improve our website;
• to tailor the content of our website to give you a more personalized experience;
• to draw your attention to information about our products and services that may be of interest to you; or
• to manage and respond to any request you submit through our website.

5. The legal grounds we use for processing personal data

We are required by law to set out in this privacy notice the legal grounds on which we rely in order to process your personal data. We rely on one or more of the following lawful grounds:

• you have explicitly agreed to us processing your information for a specific reason;
• the processing is necessary to perform the agreement we have with you or to take steps to enter into an agreement with you;
• the processing is necessary for compliance with a legal obligation we have such as keeping records for tax purposes or providing information to a public body or law enforcement agency; or
• the processing is necessary for the purposes of a legitimate interest pursued by us or a third party, which might be:

(a) to provide our services to you or our clients and other third parties and ensure that our client engagements are well-managed;

(b) to prevent fraud;

(c) to protect our business interests;

(d) to ensure that complaints are investigated;

(e) to evaluate, develop or improve our services or products; or

(f) to keep you or our clients informed about relevant products and services and provide you with information, unless you have indicated at any time that you do not wish us to do so.

To the extent that we process any special categories of data relating to you for any of the purposes outlined above, we will do so because:

• you have given us your explicit consent to process that data;
• we are required by law to process that data in order to ensure we meet our ‘know your client’ and ‘anti-money laundering’ obligations (or other legal obligations imposed on us);
• the processing is necessary to carry out our obligations under employment, social security or social protection law;
• the processing is necessary for the establishment, exercise or defence of legal claims; or
• you have made the data manifestly public.

Please note that in certain circumstances it may remain lawful for us to continue processing your personal data even where you have withdrawn your consent, where another lawful legal basis applies.

This section reflects the lawful bases for processing personal data recognised under the EU General Data Protection Regulation (GDPR), the UK GDPR, the Swiss Federal Act on Data Protection (FADP), and equivalent data protection laws in jurisdictions where Synpulse operates, including in the Americas and the Asia-Pacific region.

Where local data protection laws apply additional or alternative conditions (for example, consent-based regimes or statutory exceptions), we will process personal data in accordance with those local legal requirements.

The applicable legal basis will depend on the nature of the processing, the purpose for which the personal data is processed, and the jurisdiction in which the processing takes place.

6. Sharing your personal data

In connection with any of the purposes outlined in the “How we use your personal data?” section above, we may disclose details about you to:

• other members of the Synpulse Group or third parties that provide services or online platforms to us and/or the Synpulse Group;
• competent authorities (including courts and authorities regulating us and other members of the Synpulse Group) where we are legally required or permitted to do so;
• your employer and/or its advisers, or your advisers where necessary for the relevant engagement or with appropriate authorisation;
• anyone to whom we may transfer our rights and/or obligations under the Terms of Use;
• any other person or organisation after a restructure, sale or acquisition of any member of the Synpulse Group, provided such recipient uses your personal data only for the same purposes and subject to appropriate safeguards;
• credit reference agencies or other organisations that help us make credit decisions and reduce the incidence of fraud; and
• other third parties where disclosure is necessary for the performance of our services, compliance with legal or regulatory obligations, or the protection of our legitimate business interests, and subject in all cases to appropriate contractual, technical, and organisational safeguards.

Our website may host various blogs, forums, wikis and other social media applications or services that allow you to share content with other users (collectively “Social Media Applications”). Any personal data that you contribute to these social media applications can be read, collected and used by other users of the application. We have little or no control over these other users, so any information you contribute to these social media applications might not be handled in line with this privacy notice.

7. Transferring your personal data

Information we hold about you may be transferred to other countries (which may include countries outside the European Economic Area (“EEA”):

• where we do business (Click here to see the list of countries where we do business);
• which are linked to your engagement with us;
• from where you regularly receive or transmit information; or
• where our third parties conduct their activities.

Such countries may have less stringent privacy laws than the EEA or Switzerland, so any information held can become subject to such laws and disclosure requirements, including disclosure to governmental bodies, regulatory agencies and private persons. In addition, several countries have agreements under which information is exchanged with other countries for law enforcement, tax and other purposes.

When we, or our permitted third parties, receive or transfer your personal data outside the EEA, we will impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the EEA. We may also require the recipient to subscribe to international frameworks intended to enable secure data sharing.

We may also transfer your personal data when:

• the transfer is to a country deemed to provide adequate protection of your personal data by the European Commission; or
• where you have consented to the transfer.

If your personal data is transferred outside the EEA in other circumstances (for example, where required by law), we will make sure it remains adequately protected.

For jurisdictions with specific cross-border transfer rules, Synpulse complies with applicable local requirements. In Asia Pacific, this means for example that under the Singapore PDPA personal data may only be transferred overseas where the recipient provides a comparable level of protection, and under the Philippines Data Privacy Act transfers must follow National Privacy Commission rules and be supported by appropriate safeguards. China’s PIPL sets strict conditions for transfers, such as government security assessments, standard contractual clauses filed with the regulator, or certification under an approved scheme. India’s DPDP Act 2023 is expected to restrict transfers to jurisdictions approved by government notification once it comes into force. In Australia and Hong Kong, we are required to take reasonable steps to ensure that any overseas recipient provides protection comparable to local standards. In Hong Kong, please note that the cross-border transfer restrictions under Section 33 of the PDPO are not yet in force but may become applicable in the future.

Cross-border transfers within the Synpulse Group are governed by Synpulse’s Intra-Group Data Transfer Agreement and are subject to contractual, technical, and organisational safeguards.

Where required, we rely on the European Commission’s Standard Contractual Clauses (including the UK Addendum and Swiss Addendum, as applicable) and supplementary measures to safeguard cross-border transfers of personal data.

We may share non-personal, anonymized and aggregated information with third parties for several purposes, including data analytics, research, submissions, thought leadership and promotional activity.

8. Protecting your personal data

We use a range of measures to ensure we keep your personal data secure, accurate and up to date. These include:

• education and training to relevant staff to ensure they are aware of our privacy obligations when handling personal data;
• administrative and technical controls to restrict access to personal data to a ‘need to know’ basis;
• technological security measures, including firewalls, encryption and anti-virus software; and
• physical security measures, such as security passes to access our premises.

In certain jurisdictions, such as Singapore, the Philippines and China, local data protection laws impose specific requirements for security measures (including organizational, physical, and technical safeguards), and we implement controls to comply with these obligations.

The transmission of data over the internet (including by e-mail) is never completely secure. So, although we use appropriate measures to try to protect personal data, we cannot guarantee the security of data transmitted to us or by us. You should use secure channels where available and avoid sending special category personal data by unencrypted email.

9. How long we keep your personal data for

We seek to ensure that we only keep your personal data for the longest of:

• the period necessary for the relevant activity or services;
• any retention period that is required by law; or
• the period in which litigation or investigations might arise in respect of the services.

In jurisdictions such as Singapore, the Philippines, China and India, local data protection laws impose specific retention limitations, requiring that personal data be kept only for as long as it is necessary for the declared, specific, and legitimate purpose, after which it must be securely deleted or anonymized. Personal data is retained in accordance with Synpulse’s Group Data Protection Policy, applicable legal requirements, and internal retention and disposal standards, applying the stricter requirement where multiple regimes may apply.

10. Your rights

You have various rights in relation to your personal data. In particular, you have a right to:

• obtain confirmation that we are processing your personal data and request a copy of the personal data we hold about you;
• be informed about the processing of your personal data (i.e. for what purposes, what types, to what recipients it is disclosed, storage periods, any third-party sources from where it was obtained, confirmation of whether we undertake automated decision-making, including profiling, and to receive meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for you);
• be informed about the existence of automated decision-making, including profiling, where applicable, as well as the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, except where permitted by law and subject to appropriate safeguards;
• ask that we update the personal data we hold about you, or correct such personal data that you think is incorrect or incomplete;
• ask that we delete personal data that we hold about you, or restrict the way in which we use such personal data; withdraw consent to our processing of your personal data (to the extent such processing is based on previously obtained consent);
• receive a copy of the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and to transmit such personal data to another party (to the extent the processing is based on consent or a contract);
• ask us to stop or start sending you marketing messages at any time by using the contact details in section 12 below; and
• object to our processing of your personal data.

If you would like to access or see a copy of your personal data, you must ask us in writing. We will endeavour to respond within a reasonable period, and in any event within one month in line with Data Protection Legislation. We will comply with our legal obligations about your rights as a data subject. Where permitted by applicable law, we may request information to verify your identity before responding to a request.

In certain jurisdictions, such as Singapore, Australia and Hong Kong, the range of statutory rights is narrower than under the GDPR and may be limited to access, correction, and withdrawal of consent. In the Philippines, China and India, broader rights apply, including erasure, blocking or objection, and in some cases portability, subject to the specific conditions of local law.

To help us ensure that your information is up to date, let us know if any of your personal details change using the contact details set out in section 12.

You may also use the contact details in section 12 if you wish to make a complaint relating to your privacy.

11. Sending you marketing information

We and other members of the Synpulse Group may use your information from time to time to inform you by letter, telephone, email and other electronic methods about products and services (including those of third parties, provided you have given your explicit consent where required by law) that may be of interest to you or where otherwise permitted under applicable marketing and data protection laws.

In certain jurisdictions such as Singapore, the Philippines, China, India, Australia and Hong Kong, local laws impose specific requirements on the use of personal data for direct marketing, including the need to obtain prior consent or provide prescribed opt-out mechanisms. We will comply with these local requirements when sending you marketing information.

You may, at any time, ask us and/or other members of the Synpulse Group not to send marketing information to you by following the unsubscribe instructions in communications from us, or contacting us in the way described in section 12 below.

12. Contact

If you wish to exercise any of the rights relating to your information set out above, or if you have any questions or comments about privacy issues, or you wish to raise a complaint about how we are using your information you can contact us in the following ways:

• writing to the Group Data Protection Officer, Synpulse Holding AG, Sonnenbergstrasse 19, 6052 Hergiswil, Switzerland, or
• sending an email to dataprotection@synpulse.com with sufficient detail to enable us to identify your request and respond appropriately.

13. Changes to this privacy notice

We will continue to monitor developments in data protection laws globally, including reforms in the European Union and other EMEA jurisdictions, the Americas, and the Asia-Pacific region, as well as in any other jurisdictions where Synpulse operates, and will update this notice to reflect any new mandatory legal or regulatory requirements.

When we make changes to this privacy notice, we will amend the revision date at the top of this page. The modified or amended privacy notice will apply from that date. We encourage you to review this notice periodically to remain informed about how we are protecting your information.

Privacy Notice – Executive Summary

Synpulse Holding AG and its subsidiaries and affiliates (“Synpulse Group”) are committed to protecting personal data. This Privacy Notice explains:

• Scope: Applies to clients, business contacts, website users, and other individuals whose data we process.
• Data Collected: Identification and contact details, demographics, employment and education information, financial and tax-related data (where required), online identifiers, and usage data, and limited sensitive data (e.g., health or dietary requirements) where strictly necessary.
• Sources: Data provided by you, obtained from third parties lawfully authorised to share it, or publicly available sources.
• Use of Data: To deliver services, conduct due diligence, manage relationships, meet legal and regulatory obligations, improve offerings, operate and improve our website, protect our rights and security, and for marketing purposes (with opt-out rights).
• Legal Basis: Consent (where required), contract necessity, legal obligations, and/or Synpulse’s legitimate interests.
• Sharing: Within the Synpulse Group, with service providers, advisers, authorities, or other third parties where necessary.
• Cross-Border Transfers: Data may be transferred globally; Synpulse applies safeguards and complies with applicable local requirements.
• Cookies: Used for website functionality and analytics, subject to consent where required by law.
• Retention: Kept only as long as necessary for services, legal obligations, or potential disputes.
• Security: Technical, administrative, and physical measures in place in accordance with Group policies.
• Your Rights: Access, correction, erasure, objection, restriction, portability (where applicable), and withdrawal of consent.
• Contact: Group Data Protection Officer, Synpulse Holding AG, Switzerland – dataprotection@synpulse.com.
• Updates: Notice may change; the latest version applies.

How We Use Information About You

We collect and process information about you and/or your business to enable us, Synpulse Holding AG and/or any if its subsidiaries and affiliates to:

• provide our services to you;
• provide you with information that we think may be of interest to you; and
• to meet our legal or regulatory obligations.

For a more detailed description of how we use information about you, please see below.

When we send you information we think you might be interested in, you have the right to unsubscribe at any time by contacting us as set out here, or by following the unsubscribe instructions in our communications.

Sharing and Transferring Your Information

We may share information about you across the Synpulse Group, and with some third parties who may process personal data on our behalf under appropriate contractual and security safeguards. For more information, please see below.

We may transfer some information about you to countries outside the European Economic Area where Synpulse operates or where our approved service providers are located. When we do this, we will make sure your information remains adequately protected by applying appropriate transfer safeguards and guided by Synpulse’s Intra-Group Data Transfer Agreement. For more information, please see below.

Your Rights

Your rights under data protection laws include the following:

• Right to Information and Transparency – to be informed how and why your personal data is processed, including purposes, lawful bases, retention, cross-border safeguards, and your rights.
• Right to Access and Transfer – to obtain confirmation of processing and receive a copy of your personal data, and, where required by law, request its transmission to another controller (data portability).
• Right to Rectification – to request correction of inaccurate or incomplete personal data.
• Right to Erasure, Restriction, and Objection – to request deletion, restriction, or object to processing on legitimate grounds.
• Right to Withdraw Consent – to withdraw consent at any time where processing is based on consent.
• Direct Marketing and Automated Decision-Making – to object at any time to processing for direct marketing, profiling, or automated decision-making with legal or significant effects.

For more information about your privacy rights please see below.

If you have any questions or comments about privacy issues, or wish to exercise any of the rights set out above, please write to Group Data Protection Officer, Synpulse Holding AG, Sonnenbergstrasse 19, CH-6052 Hergiswil, Switzerland, or email dataprotection@synpulse.com.

Scroll down to see the privacy notice in full to take you to the more detailed sections of the notice.

1. Who this privacy statement applies to and what it covers
2. What personal data we collect
3. Personal data provided by or about third parties
4. How we use your personal data
5. The legal grounds we use for processing personal data
6. Sharing your personal data
7. Transferring your personal data
8. Protecting your personal data
9. How long we keep your personal data for
10. Your rights
11. Sending you marketing information
12. Contact
13. Changes to this privacy statement

In this statement:

“Data Protection Legislation” means (i) the Swiss Federal Act on Data Protection of 19 June 1992 (FDPA), (ii) the New Swiss Federal Act on Data Protection (nFADP) of 01 September 2023, and (iii) the EU General Data Protection Regulation 2016/679 (GDPR); (iv) the UK General Data Protection Regulation, (v) the Singapore Personal Data Protection Act 2012 (PDPA), (vi) the Philippines Data Privacy Act of 2012, (vii) the Australia Privacy Act 1988 (as amended, including the Privacy and Other Legislation Amendment Act 2024), noting that further reforms are under consultation and may expand individual rights and organizational obligations, (viii) the India Digital Personal Data Protection Act 2023 (enacted and to be brought into force by government notification), (ix) the China Personal Information Protection Law (PIPL), and (x) the Hong Kong Personal Data (Privacy) Ordinance (PDPO),together with all other applicable legislation relating to privacy or data protection and including any statute or statutory provision which amends, extends, consolidates or replaces the same.

 International and Regional Data Privacy Frameworks We rely on the EU-US Data Privacy Framework, the UK Extension, and the Swiss-US Data Privacy Framework, all of which are in force. In addition, cross-border transfers of personal data within the Synpulse Group are governed by Synpulse’s Intra-Group Data Transfer Agreement. Synpulse also complies with applicable data protection legislation in Asia Pacific jurisdictions where we operate, including the Singapore Personal Data Protection Act (PDPA), the Philippines Data Privacy Act, the Australia Privacy Act, the India Digital Personal Data Protection Act 2023 (upon its entry into force), the China Personal Information Protection Law (PIPL), and the Hong Kong Personal Data (Privacy) Ordinance (PDPO).

“Synpulse Group” refers to one or more Synpulse entities, organized as a Swiss privately held group of legal entities held by one holding company. Synpulse Holding AG is a company registered in Switzerland with registered number CHE-103.557.601 and registered office at Sonnenbergstrasse 19, 6052 Hergiswil, Switzerland.

“Process” means any operation performed on information about you, including to collect, record, organize, structure, store, alter, use, transfer, destroy or otherwise make available.

1. Who this privacy notice applies to and what it covers

This privacy notice applies to Synpulse Holding AG with registered office address Sonnenbergstrasse 19, 6052 Hergiswil, Switzerland, and the entities we own or control (“Synpulse”, “we”, “us” or “our”).

We are committed to protecting your privacy and handling your information openly and transparently.

This privacy notice explains how we will collect, handle, store and protect information about you when:

• providing services to you or our clients;
• you use our website; or
• performing any other activities that form part of the operation of our business.

When we refer to “our website” or “this website”, we mean any website, application, or digital platform owned, operated, or controlled by Synpulse or any member of the Synpulse Group, including synpulse.com and any successor or related domains.

Our website comprises various global, country, regional and practice-specific information. All of this is provided by Synpulse Holding AG or one of its subsidiaries or their related entities (collectively, the “Synpulse Group”). To learn more about Synpulse, its member firms, and their related entities, please see Legal Information.

This privacy notice also contains information about when we share your personal data with other members of the Synpulse Group and other third parties (for example, our service providers).

In this privacy notice, your information is sometimes called “personal data”. We may also refer to “processing” your data, which includes handling, collecting, protecting and storing it.

If you provide us with information through any website, application, or digital platform owned, operated, or controlled by Synpulse or any member of the Synpulse Group, we will process your personal data in accordance with this Privacy Notice and applicable data protection laws. This may include the transfer of personal data to other members of the Synpulse Group or to authorised service providers, subject to appropriate contractual, technical, and organisational safeguards and applicable cross-border transfer requirements.

If you provide us with information in any jurisdiction where Synpulse operates, including in Europe and other EMEA jurisdictions, the Americas, and the Asia-Pacific region, we will process your personal data in accordance with applicable local data protection laws and regulations. This includes, where applicable, compliance with the EU General Data Protection Regulation (GDPR), the UK GDPR, the Swiss Federal Act on Data Protection (FADP), the Singapore Personal Data Protection Act (PDPA), the Philippines Data Privacy Act, the China Personal Information Protection Law (PIPL), the India Digital Personal Data Protection Act 2023 (upon its entry into force), the Hong Kong Personal Data (Privacy) Ordinance (PDPO), the Australia Privacy Act, and other equivalent data protection laws.

We implement appropriate organisational, technical, and governance measures to meet jurisdiction-specific requirements, including where required the appointment of data protection officers or equivalents, breach notification obligations, regulatory registrations or filings, and restrictions or conditions on cross-border transfers.

Where this website contains links to third-party websites, such websites are governed by their own privacy notices and data protection practices. We encourage you to review those notices before providing personal data on such websites. Synpulse accepts no responsibility or liability for the content of such third-party websites or for their data protection practices.

2. What personal data we collect

We may collect, record and use your personal data in physical and electronic form, and will hold, use and otherwise process that data in accordance with Synpulse’s Group Data Protection Policy and related policies, as well as applicable local data protection laws as set out in this statement.

When we provide services to you or our clients and perform due diligence checks in connection with our services (or discuss possible services we might provide), we will process personal data about you. We may also collect personal data from you when you use this website.

We may process your data because:

• you give it to us (for example, in a form on our website);
• other people lawfully give it to us (for example, your employer or adviser, or third-party service providers that we use to help operate our business);
• it is publicly available; or
• we are required to collect or process the data in order to comply with applicable legal or regulatory obligations (e.g., under tax, employment, court order, or supervisory authority requirements).

We process personal data only where it is adequate, relevant, and limited to what is necessary for the purposes for which it is collected and processed.

We may process personal data from you because we observe or infer that data about you from the way you interact with us or others. For example, to improve your experience of this website and to make sure that it is working effectively. For example, we (or our service providers) may use cookies (small text files stored in a user’s browser) or web beacons to collect personal data. More information on how we use these and other tracking technologies – and how you can control them – can be found in our cookie notice.

Use of cookies and similar technologies is subject to your consent, where required by applicable law. You may manage your preferences via our cookie or settings panel.

The personal data we process may include your:

• name, gender, age and date of birth;
• contact information, such as address, email, and mobile phone number;
• country of residence;
• lifestyle and social circumstances (for example, your hobbies) where consent was provided;
• family circumstances (for example, your marital status and dependents) where relevant to the service provided;
• employment and education details (for example, the organisation you work for, your job title and your education details);
• financial and tax-related information (for example your income, investments and tax residency) where required for regulatory, contractual, or due diligence purposes;
• postings or messages on any blogs, forums, platforms, wikis or social media applications and services that we provide (including with third parties);
• IP address, browser type and language, your access times;
• information in any complaints you make;
• details of how you use our products and services;
• CCTV footage and other information we collect when you access our premises for security, safety, and access-control purposes; and
• details of how you like to interact with us, and other similar information.

The personal data we collect may also include so called ‘sensitive’ or ‘special categories’ of personal data, such as details about your:

• dietary requirements (for example, when Synpulse would like to provide you with lunch during a meeting);
• health (for example, so that we can make it easy for you to access our buildings, products and services); and
• sexual orientation (for example, if you provide us with details of your spouse or partner).

Where required by law, we will obtain your explicit consent through a clear and separate opt-in and apply enhanced security, access controls, and purpose-bound retention.

If you choose not to provide, or object to us processing, the information we collect (see section 10 below), we may not be able to process your instructions or continue to provide some or all of our services to you or our client.

3. Personal data provided by or about third parties

When our client or another third party provides us personal data about you, we rely on their representations and contractual assurances that such personal data has been collected and shared with us in accordance with applicable data protection laws, including that the relevant data subjects have been informed of the processing and that a valid legal basis applies.

If we become aware that personal data has been collected or shared with us unlawfully, we will take appropriate steps in accordance with applicable law, which may include suspending or ceasing processing and informing the relevant party.

If any information you give us relates to a third party (such as a spouse, financial dependent, or joint account holder), by providing us with such personal data you confirm that, in line with the above provisions, you are authorised to disclose such information to us and that such disclosure is lawful in accordance with applicable data protection laws.

4. How we use your personal data

We process information about you and/or your business to enable us and other members of the Synpulse Group to provide our services to you, to provide you with information that we think may be of interest to you, and to meet our legal or regulatory obligations.

Some of your personal data may be used for other business purposes. Below are some examples.

Use of personal data to provide services to our clients

We use your personal data to provide services to you, our clients, or other third parties. , Where we process personal data on behalf of our clients as a data processor, such processing is governed by the applicable Master Services Agreement (MSA) and Data Processing Agreement (DPA). In the event of any inconsistency, the data protection provisions of the relevant MSA and DPA shall apply, without prejudice to applicable data protection laws and data subject rights. Such correspondence or processing may be with:

• you;
• other third parties or other members of the Synpulse Group;
• our service providers; or
• competent authorities.

We may also use your personal data to conduct due diligence checks relating to the services.

Because we provide a wide range of services to our clients or other third parties, the way we use personal data in relation to our services also varies. For example, we might use personal data about:

• a client’s employees to help the client improve its efficiency in handling such data; or
• a client’s employees and customers in the course of conducting a system implementation (or similar activity) for a client.

Use of personal data for other activities that form part of the operation of our business

We may also use your personal data in connection with:

• legal or regulatory requirements;
• requests and communications from competent authorities;
• client account opening and other administrative tasks;
• financial accounting, invoicing and risk analysis;
• relationship management, which may involve:

(a) sending you thought leadership or details of our products and services;

(b) contacting you for feedback on services;

(c) sending you event invitations; and

(d) other marketing or research purposes subject to applicable consent and opt-out requirements;

• recruitment and business development, which may involve:

(a) the use of testimonials from a client’s employees as part of our recruitment and business development materials (with that employee’s permission); and

(b) the use of third-party data sources to help us verify and improve the information we hold about key business relationships with individuals;

• services we receive from our professional advisors, such as lawyers, accountants and consultants;
• investigating or preventing security incidents; or
• protecting our rights and those of our clients.

Use of personal data collected via our website

In addition to the above, we may also use your personal data collected via our website:

• to manage and improve our website;
• to tailor the content of our website to give you a more personalized experience;
• to draw your attention to information about our products and services that may be of interest to you; or
• to manage and respond to any request you submit through our website.

5. The legal grounds we use for processing personal data

We are required by law to set out in this privacy notice the legal grounds on which we rely in order to process your personal data. We rely on one or more of the following lawful grounds:

• you have explicitly agreed to us processing your information for a specific reason;
• the processing is necessary to perform the agreement we have with you or to take steps to enter into an agreement with you;
• the processing is necessary for compliance with a legal obligation we have such as keeping records for tax purposes or providing information to a public body or law enforcement agency; or
• the processing is necessary for the purposes of a legitimate interest pursued by us or a third party, which might be:

(a) to provide our services to you or our clients and other third parties and ensure that our client engagements are well-managed;

(b) to prevent fraud;

(c) to protect our business interests;

(d) to ensure that complaints are investigated;

(e) to evaluate, develop or improve our services or products; or

(f) to keep you or our clients informed about relevant products and services and provide you with information, unless you have indicated at any time that you do not wish us to do so.

To the extent that we process any special categories of data relating to you for any of the purposes outlined above, we will do so because:

• you have given us your explicit consent to process that data;
• we are required by law to process that data in order to ensure we meet our ‘know your client’ and ‘anti-money laundering’ obligations (or other legal obligations imposed on us);
• the processing is necessary to carry out our obligations under employment, social security or social protection law;
• the processing is necessary for the establishment, exercise or defence of legal claims; or
• you have made the data manifestly public.

Please note that in certain circumstances it may remain lawful for us to continue processing your personal data even where you have withdrawn your consent, where another lawful legal basis applies.

This section reflects the lawful bases for processing personal data recognised under the EU General Data Protection Regulation (GDPR), the UK GDPR, the Swiss Federal Act on Data Protection (FADP), and equivalent data protection laws in jurisdictions where Synpulse operates, including in the Americas and the Asia-Pacific region.

Where local data protection laws apply additional or alternative conditions (for example, consent-based regimes or statutory exceptions), we will process personal data in accordance with those local legal requirements.

The applicable legal basis will depend on the nature of the processing, the purpose for which the personal data is processed, and the jurisdiction in which the processing takes place.

6. Sharing your personal data

In connection with any of the purposes outlined in the “How we use your personal data?” section above, we may disclose details about you to:

• other members of the Synpulse Group or third parties that provide services or online platforms to us and/or the Synpulse Group;
• competent authorities (including courts and authorities regulating us and other members of the Synpulse Group) where we are legally required or permitted to do so;
• your employer and/or its advisers, or your advisers where necessary for the relevant engagement or with appropriate authorisation;
• anyone to whom we may transfer our rights and/or obligations under the Terms of Use;
• any other person or organisation after a restructure, sale or acquisition of any member of the Synpulse Group, provided such recipient uses your personal data only for the same purposes and subject to appropriate safeguards;
• credit reference agencies or other organisations that help us make credit decisions and reduce the incidence of fraud; and
• other third parties where disclosure is necessary for the performance of our services, compliance with legal or regulatory obligations, or the protection of our legitimate business interests, and subject in all cases to appropriate contractual, technical, and organisational safeguards.

Our website may host various blogs, forums, wikis and other social media applications or services that allow you to share content with other users (collectively “Social Media Applications”). Any personal data that you contribute to these social media applications can be read, collected and used by other users of the application. We have little or no control over these other users, so any information you contribute to these social media applications might not be handled in line with this privacy notice.

7. Transferring your personal data

Information we hold about you may be transferred to other countries (which may include countries outside the European Economic Area (“EEA”):

• where we do business (Click here to see the list of countries where we do business);
• which are linked to your engagement with us;
• from where you regularly receive or transmit information; or
• where our third parties conduct their activities.

Such countries may have less stringent privacy laws than the EEA or Switzerland, so any information held can become subject to such laws and disclosure requirements, including disclosure to governmental bodies, regulatory agencies and private persons. In addition, several countries have agreements under which information is exchanged with other countries for law enforcement, tax and other purposes.

When we, or our permitted third parties, receive or transfer your personal data outside the EEA, we will impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the EEA. We may also require the recipient to subscribe to international frameworks intended to enable secure data sharing.

We may also transfer your personal data when:

• the transfer is to a country deemed to provide adequate protection of your personal data by the European Commission; or
• where you have consented to the transfer.

If your personal data is transferred outside the EEA in other circumstances (for example, where required by law), we will make sure it remains adequately protected.

For jurisdictions with specific cross-border transfer rules, Synpulse complies with applicable local requirements. In Asia Pacific, this means for example that under the Singapore PDPA personal data may only be transferred overseas where the recipient provides a comparable level of protection, and under the Philippines Data Privacy Act transfers must follow National Privacy Commission rules and be supported by appropriate safeguards. China’s PIPL sets strict conditions for transfers, such as government security assessments, standard contractual clauses filed with the regulator, or certification under an approved scheme. India’s DPDP Act 2023 is expected to restrict transfers to jurisdictions approved by government notification once it comes into force. In Australia and Hong Kong, we are required to take reasonable steps to ensure that any overseas recipient provides protection comparable to local standards. In Hong Kong, please note that the cross-border transfer restrictions under Section 33 of the PDPO are not yet in force but may become applicable in the future.

Cross-border transfers within the Synpulse Group are governed by Synpulse’s Intra-Group Data Transfer Agreement and are subject to contractual, technical, and organisational safeguards.

Where required, we rely on the European Commission’s Standard Contractual Clauses (including the UK Addendum and Swiss Addendum, as applicable) and supplementary measures to safeguard cross-border transfers of personal data.

We may share non-personal, anonymized and aggregated information with third parties for several purposes, including data analytics, research, submissions, thought leadership and promotional activity.

8. Protecting your personal data

We use a range of measures to ensure we keep your personal data secure, accurate and up to date. These include:

• education and training to relevant staff to ensure they are aware of our privacy obligations when handling personal data;
• administrative and technical controls to restrict access to personal data to a ‘need to know’ basis;
• technological security measures, including firewalls, encryption and anti-virus software; and
• physical security measures, such as security passes to access our premises.

In certain jurisdictions, such as Singapore, the Philippines and China, local data protection laws impose specific requirements for security measures (including organizational, physical, and technical safeguards), and we implement controls to comply with these obligations.

The transmission of data over the internet (including by e-mail) is never completely secure. So, although we use appropriate measures to try to protect personal data, we cannot guarantee the security of data transmitted to us or by us. You should use secure channels where available and avoid sending special category personal data by unencrypted email.

9. How long we keep your personal data for

We seek to ensure that we only keep your personal data for the longest of:

• the period necessary for the relevant activity or services;
• any retention period that is required by law; or
• the period in which litigation or investigations might arise in respect of the services.

In jurisdictions such as Singapore, the Philippines, China and India, local data protection laws impose specific retention limitations, requiring that personal data be kept only for as long as it is necessary for the declared, specific, and legitimate purpose, after which it must be securely deleted or anonymized. Personal data is retained in accordance with Synpulse’s Group Data Protection Policy, applicable legal requirements, and internal retention and disposal standards, applying the stricter requirement where multiple regimes may apply.

10. Your rights

You have various rights in relation to your personal data. In particular, you have a right to:

• obtain confirmation that we are processing your personal data and request a copy of the personal data we hold about you;
• be informed about the processing of your personal data (i.e. for what purposes, what types, to what recipients it is disclosed, storage periods, any third-party sources from where it was obtained, confirmation of whether we undertake automated decision-making, including profiling, and to receive meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for you);
• be informed about the existence of automated decision-making, including profiling, where applicable, as well as the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, except where permitted by law and subject to appropriate safeguards;
• ask that we update the personal data we hold about you, or correct such personal data that you think is incorrect or incomplete;
• ask that we delete personal data that we hold about you, or restrict the way in which we use such personal data; withdraw consent to our processing of your personal data (to the extent such processing is based on previously obtained consent);
• receive a copy of the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and to transmit such personal data to another party (to the extent the processing is based on consent or a contract);
• ask us to stop or start sending you marketing messages at any time by using the contact details in section 12 below; and
• object to our processing of your personal data.

If you would like to access or see a copy of your personal data, you must ask us in writing. We will endeavour to respond within a reasonable period, and in any event within one month in line with Data Protection Legislation. We will comply with our legal obligations about your rights as a data subject. Where permitted by applicable law, we may request information to verify your identity before responding to a request.

In certain jurisdictions, such as Singapore, Australia and Hong Kong, the range of statutory rights is narrower than under the GDPR and may be limited to access, correction, and withdrawal of consent. In the Philippines, China and India, broader rights apply, including erasure, blocking or objection, and in some cases portability, subject to the specific conditions of local law.

To help us ensure that your information is up to date, let us know if any of your personal details change using the contact details set out in section 12.

You may also use the contact details in section 12 if you wish to make a complaint relating to your privacy.

11. Sending you marketing information

We and other members of the Synpulse Group may use your information from time to time to inform you by letter, telephone, email and other electronic methods about products and services (including those of third parties, provided you have given your explicit consent where required by law) that may be of interest to you or where otherwise permitted under applicable marketing and data protection laws.

In certain jurisdictions such as Singapore, the Philippines, China, India, Australia and Hong Kong, local laws impose specific requirements on the use of personal data for direct marketing, including the need to obtain prior consent or provide prescribed opt-out mechanisms. We will comply with these local requirements when sending you marketing information.

You may, at any time, ask us and/or other members of the Synpulse Group not to send marketing information to you by following the unsubscribe instructions in communications from us, or contacting us in the way described in section 12 below.

12. Contact

If you wish to exercise any of the rights relating to your information set out above, or if you have any questions or comments about privacy issues, or you wish to raise a complaint about how we are using your information you can contact us in the following ways:

• writing to the Group Data Protection Officer, Synpulse Holding AG, Sonnenbergstrasse 19, 6052 Hergiswil, Switzerland, or
• sending an email to dataprotection@synpulse.com with sufficient detail to enable us to identify your request and respond appropriately.

13. Changes to this privacy notice

We will continue to monitor developments in data protection laws globally, including reforms in the European Union and other EMEA jurisdictions, the Americas, and the Asia-Pacific region, as well as in any other jurisdictions where Synpulse operates, and will update this notice to reflect any new mandatory legal or regulatory requirements.

When we make changes to this privacy notice, we will amend the revision date at the top of this page. The modified or amended privacy notice will apply from that date. We encourage you to review this notice periodically to remain informed about how we are protecting your information.

Privacy Notice – Executive Summary

Synpulse Holding AG and its subsidiaries and affiliates (“Synpulse Group”) are committed to protecting personal data. This Privacy Notice explains:

• Scope: Applies to clients, business contacts, website users, and other individuals whose data we process.
• Data Collected: Identification and contact details, demographics, employment and education information, financial and tax-related data (where required), online identifiers, and usage data, and limited sensitive data (e.g., health or dietary requirements) where strictly necessary.
• Sources: Data provided by you, obtained from third parties lawfully authorised to share it, or publicly available sources.
• Use of Data: To deliver services, conduct due diligence, manage relationships, meet legal and regulatory obligations, improve offerings, operate and improve our website, protect our rights and security, and for marketing purposes (with opt-out rights).
• Legal Basis: Consent (where required), contract necessity, legal obligations, and/or Synpulse’s legitimate interests.
• Sharing: Within the Synpulse Group, with service providers, advisers, authorities, or other third parties where necessary.
• Cross-Border Transfers: Data may be transferred globally; Synpulse applies safeguards and complies with applicable local requirements.
• Cookies: Used for website functionality and analytics, subject to consent where required by law.
• Retention: Kept only as long as necessary for services, legal obligations, or potential disputes.
• Security: Technical, administrative, and physical measures in place in accordance with Group policies.
• Your Rights: Access, correction, erasure, objection, restriction, portability (where applicable), and withdrawal of consent.
• Contact: Group Data Protection Officer, Synpulse Holding AG, Switzerland – dataprotection@synpulse.com.
• Updates: Notice may change; the latest version applies.